Primary

Context

Spring Framework Improper Path Limitation Vulnerability in Script View Templates

Vulnerability

Patched

A vulnerability exists in Spring Framework versions 5.3.0 through 5.3.46, 6.1.0 through 6.1.25, 6.2.0 through 6.2.16, and 7.0.0 through 7.0.5. When Java scripting engines like JRuby or Jython are enabled, template views in Spring MVC and Spring WebFlux applications can inadvertently expose content from files located outside the designated script template view directories. This issue arises when the application has a mapping for '/**' that triggers view rendering without an explicitly specified view name.

Impact

Exploitation of this vulnerability could lead to unauthorized disclosure of file contents from outside the allowed script template view locations.

Remediation

Users should upgrade to Spring Framework 7.0.6, 6.2.17, 6.1.26 (commercial), or 5.3.47 (commercial).

Added: Mar 20, 2026, 12:28 AM

Updated: Mar 20, 2026, 12:28 AM

Vulnerability Rating

Custom Algorithm

spread

7.8

impact

3.3

exploitability

4.3

remediation

7.7

relevance

4.2

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

7.8

impact

3.3

exploitability

4.3

remediation

7.7

relevance

4.2

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Spring Framework Improper Path Limitation Vulnerability in Script View Templates

Vulnerability

Impact

Remediation

Affected Products

Spring Framework

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating